Authentication is handled by two components: Authentication Provider and Authenticator.

The Autentication Provider needs to have full access to the HTTP request including the HTTP headers. It gets the credentials from the request and passes them to the Authenticator.

One Authentication Provider is registered for a server instance.

Basic Authentication Provider

The Basic Autentication Provider takes the username and the password from the HTTP header entry Authentication. The username and the password are seperated by a : and are Base64 encoded.

SystemAuthenticator

The framework provides the SystemAuthenticator which takes a username and a password and tries to authenticate at the operating system.

See IBM i system API Get Profile Handle.

ValidationListAuthenticator

The framework provides the ValidationListAuthenticator which takes a username and a password and tries to authenticate at the configured validation list. By using a validation list for authentication not every user who makes a HTTP request needs to have a user account on the system. He just needs to be added to the validation list.